Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJwaDctajlxci1oOHE4

Potential Command Injection in codem-transcode

When the ffprobe functionality is enabled on the server, HTTP POST requests can be made to /probe. These requests are passed to the ffprobe binary on the server. Through this HTTP endpoint it is possible to send a malformed source file name to ffprobe that results in arbitrary command execution.

Mitigating Factors:

The ffprobe functionality is not enabled by default. In addition, exploitation opportunities are limited in a standard configuration because the server binds to the local interface by default.

Recommendation

An updated and patched version of the module (version 0.5.0) is available via npm. Users who have enabled the ffprobe functionality are especially encouraged to upgrade..

Permalink: https://github.com/advisories/GHSA-rph7-j9qr-h8q8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXJwaDctajlxci1oOHE4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: over 1 year ago


CVSS Score: 8.1
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-rph7-j9qr-h8q8, CVE-2013-7377
References: Blast Radius: 6.8

Affected Packages

npm:codem-transcode
Dependent packages: 1
Dependent repositories: 7
Downloads: 73 last month
Affected Version Ranges: < 0.5.0
Fixed in: 0.5.0
All affected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4
All unaffected versions: 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.5.9, 0.5.10, 0.5.11